> ## Documentation Index
> Fetch the complete documentation index at: https://docs.autosana.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Network Allowlist

> Source IPs to allowlist for firewalls in front of your apps or APIs

If your test target or the APIs your [hooks](/hooks) call sit behind a firewall, allowlist Autosana's source IPs. The current list is at `GET /api/v1/network/allowlist`.

```bash theme={null}
curl -fsSL https://backend.autosana.ai/api/v1/network/allowlist \
  -H "X-API-Key: YOUR_API_KEY"
```

Grab `YOUR_API_KEY` from [Settings → Integrations](https://autosana.ai/settings?tab=integrations).

```json theme={null}
{
  "hook_runners": ["<ip>"],
  "flow_runners": {
    "ios":     ["<ip>", "..."],
    "android": ["<ip>", "..."],
    "web":     ["<ip>", "..."]
  },
  "documentation_url": "https://docs.autosana.ai/network-allowlist"
}
```

* **`hook_runners`** — source IPs for HTTP traffic from [hook scripts](/hooks). Stable; rarely changes. Allowlist on firewalls protecting APIs your hooks call.
* **`flow_runners`** — source IPs for traffic generated when running your tests (browser for web, device for mobile). **Changes without notice as we scale workers.** Allowlist on firewalls protecting your app under test.

## Staying in sync

We don't notify when IPs change — the endpoint is the source of truth. Three patterns:

1. **Poll from firewall-as-code** (Terraform, Cloudflare Worker, CI cron). The endpoint sends `Cache-Control: max-age=300`, so daily polling is cheap.
2. **Manual refresh.** Pull once a month, paste into your firewall.
3. **Broader CIDRs, no polling.** GCP us-west1 (filter [`cloud.json`](https://www.gstatic.com/ipranges/cloud.json) for `scope=us-west1`) covers Android + web. `207.254.0.0/16` covers iOS. Less precise, zero maintenance.

If hooks start returning 401/403 or flows hit connection errors against your test target, your allowlist is likely stale — pull the endpoint and diff.